Regarding the user authentication and access logs


Kashgarinn

Jul 28, 2010, 10:21:08 AM
to ccTiddly
Hi there.

I've recently set up Xampp and CCTW 1.85 and was successful in
connecting it to my company's LDAP.

I was then able to enable HTTPS, and everything seemed fine.

I then checked the access logs under apache\logs, and found that the
username and passwords aren't encrypted in the GET command... whoops.

So I'm seeing a GET command like this:
(IP) - - [28/Jul/2010:14:09:04 +0000] "GET /itwiki/handle/loginFile.php?cctuser=(AD User)&cctpass=(userpass)&&nocache=0.32558464522304653 HTTP/1.1" 200 40 "https://itwiki/itwiki/helpdesk/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 (.NET CLR 3.5.30729)"

Is there something I should have done to configure my apache not to
show it, or is this some problem with GET always being plaintext?

Is there some way I can make sure that the user/pass isn't being sent
via plaintext over the internet?

Kashgarinn

Jul 29, 2010, 11:08:03 AM
to ccTiddly
I've done a bit of research and thankfully HTTPS does mean that
nothing is sent plaintext over the internet, but because the server of
course gets the information, the access logs contain the plaintext
version of the user/pass.

Still researching into how to either scramble the password so it's not
legible from the logs, or remove it from the logs.

S.
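As an added example (not code from the ccTiddly project or from anyone in this thread), here is a small Python filter that detects and redacts password parameters in Apache combined-format access-log lines like the one quoted above. The parameter name cctpass comes from the loginFile.php request in the thread; the other parameter names, the IP address and the sample log lines are constructed for the example.

```python
import re

# Query parameter names treated as credentials. "cctpass" is the name seen in the
# ccTiddly loginFile.php request above; the others are common generic names (assumed).
# The username (cctuser) is deliberately kept: it is useful audit data and not a secret.
SENSITIVE_PARAMS = {"cctpass", "password", "passwd", "pass", "pwd"}

# Apache "combined" format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?P<rest>.*)$'
)

# Constructed sample lines in the same shape as the thread's log entry.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2010:14:09:04 +0000] "GET /itwiki/handle/loginFile.php'
    '?cctuser=jdoe&cctpass=s3cret&&nocache=0.32558464522304653 HTTP/1.1" 200 40 '
    '"https://itwiki/itwiki/helpdesk/" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Jul/2010:14:09:05 +0000] "GET /itwiki/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def redact_target(target):
    """Replace the value of every sensitive query parameter in a request target.
    Returns (redacted_target, [names that were redacted]); the query layout is preserved."""
    path, sep, query = target.partition("?")
    if not sep:
        return target, []
    hits, out = [], []
    for segment in query.split("&"):
        name, eq, _value = segment.partition("=")
        if eq and name.lower() in SENSITIVE_PARAMS:
            hits.append(name)
            segment = name + "=[REDACTED]"
        out.append(segment)
    return path + "?" + "&".join(out), hits

def redact_log_line(line):
    """Return (redacted_line, hits). Lines that do not parse are returned unchanged."""
    m = LOG_RE.match(line)
    if not m:
        return line, []
    new_target, hits = redact_target(m.group("target"))
    if not hits:
        return line, []
    start, end = m.span("target")
    return line[:start] + new_target + line[end:], hits

def find_credential_leaks(lines):
    """Detection view: list (line_number, client, method, param_names) for every leaking line."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if m:
            _, hits = redact_target(m.group("target"))
            if hits:
                leaks.append((number, m.group("client"), m.group("method"), hits))
    return leaks

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_log_line(line)[0])
    print(find_credential_leaks(SAMPLE_LOG))
```

Redacting stored lines only limits the damage already done; the root fix is to stop sending the credentials in the query string at all (a POST body is not written to the access log), and to treat any log that already holds them as sensitive.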

whatever

Sep 1, 2010, 3:04:42 AM
to ccTiddly
That would be a great thing. Passwords in plaintext just make me
shiver.

w

Kashgarinn

Sep 17, 2010, 8:18:53 AM
to ccTiddly
I've fiddled a bit with this, and if you change this line in index.php under
\plugins\ldap\:

$tiddler['body'] = "config.macros.ccLogin.sha1 = false;";

- to true, the password becomes sha1 encrypted and it's at least
protected from being read from plaintext in the access and ssl logs,
but it doesn't authenticate, so we need to add code to decode the sha
and use it to authenticate.

S.